====== BPF ====== 
{{:cheatsheet:bpftrace_probes_2018.png|}}
===== BPFtrace =====
Get all ran bash command
<code>
bpftrace -e 'uretprobe:/bin/bash:readline { time("%H:%M:%S  ");
    printf("%-6d %s %5d (%s) -", pid, str(retval), uid, username);
    cat("/proc/%d/environ", pid) ; printf("\n")}'
</code>